Talk:CryptoLocker

From Wikipedia, the free encyclopedia

Too much detail tag

One user has tagged the article as containing too much detail. What detail, specifically, is deemed excessive? Most detail is relevant to how the malware functions and what responses are possible. Information is given which can help to prevent, identify, and resolve an infection, giving factual information without becoming an instruction manual. Pol098 (talk) 13:01, 24 October 2013 (UTC)

Since my previous comment the article has been largely rewritten by one user. Some quite important details have been lost; in particular that the infection was indeed removed on payment of the ransom, and that the possibility of decrypting the files was lost on removing the virus. I have reinstated those particular points, and made some minor corrections that can be described as pedantic (ransom not necessarily paid to author; PDF icon not necessarily Adobe, etc.). If anybody would like to look at the previous version in case anything removed is thought to merit reinstating, it is here. Pol098, 20:21, 26 October 2013 (UTC) Also, recently added sourced information which seems highly relevant on the DNS sinkhole has been deleted at the same time as a change to sectioning, with an explanation mentioning sectioning only. Pol098 (talk) 13:40, 30 October 2013 (UTC)
Which cites a forum. And a page which probably cited the same forum. Forums are never reliable sources as required by Wikipedia policy. ViperSnake151 (talk) 15:47, 30 October 2013 (UTC)

Strange goings on

I added a section on 'prevention', which stated "As of 18 November 2013 a supplier of antivirus software claimed that it could detect Ransomer—the name given to the Trojan—and 438 variants it knew about, and could detect and remove most Trojan horse malware." Granted, I supplied a 'trade' reference, but if that was a problem other references could have been found. Without this information, the article is unnecessarily alarmist, and so the information should be included. The word 'prevention' also seems to have offended someone, who believes it 'implies how-to content' - and 'mitigation' doesn't? It's sad to see Wikipedia joining a quite unnecessary panic about this trojan. But hey, that's wikipedia. I shall not revert the changes; I have a life, which is way beyond fighting over edits. But I do hope that more intelligent editors will take an interest. Good Luck. Heenan73 (talk) 12:31, 19 November 2013 (UTC)

Please read WP:NOTHOWTO. Wikipedia is not a how-to guide. Additionally, how it was worded also felt like the statement was an advertisement for AVG (Wikipedia is not a soapbox or promotional site), and the page did not mention anything about CryptoLocker at all. ViperSnake151 (talk) 16:20, 19 November 2013 (UTC)
You contrive to miss the point. Even if your arguments are correct (they are not) the point I raised is valid - ie that Cryptolocker can be prevented by the simple expedient of using an antivirus - has been effectively censored. Well done; I hope you are proud of your vandalism. You could, of course, have simply improved my addition - found other references. The "how to" argument is specious and childish; simple rephrasing would have sorted that. Like your 'mitigation' para, huh? As for the reference, Google is your friend (or in your case, likely Bing). This is my last word. Your sad defence of your vandalism shows the worst aspect of a wiki editor - you think you own the page. Heenan73 (talk) 18:04, 19 November 2013 (UTC)
That is obvious information, and the ref made no reference to CryptoLocker itself. Any computer conscious user should know that. And that is not what we define as "vandalism". ViperSnake151 (talk) 18:41, 19 November 2013 (UTC)

It is NOT obvious information; it is important information that will be far from obvious to most users, who will have read your alarmist text and similar rubbish elsewhere; I seriously do not care what "we" (the 'in crowd') define as vandalism, preferring to use the English language. Suppression of information on false pretexts ("lies") IS vandalism; and I have never, ever seen worse by a wikipedia editor.

"the ref made no reference to CryptoLocker itself" - it didn't need to - context is all.
"Any computer conscious user should know that" - rubbish. And how dare you define what people 'should' know, when what matters is what they DO know - or not.
"Wikipedia is not a how-to guide" - no-one said otherwise; don't patronise.
"felt like the statement was an advertisement" - don't be silly.
And whatever was wrong with my contribution, a responsible editor would have corrected and improved - not suppressed.
I could go on, but I'm bored. I've had enough of your childish behaviour. Time for you to report me and get me banned (so you can hide the evidence). And DO NOT HARASS ME on my talk page. Heenan73 (talk) 12:01, 20 November 2013 (UTC)
For years, as a prolific Internet user, I have felt an obligation to correct and improve Wikipedia; you have released me from that. I now feel an obligation to expose and mock corrupt editors (on Facebook etc), and an obligation to warn people off editing while jobsworth editors like you are allowed to abuse readers and contributors. Thank you. Now go report me before I vomit ;-) ... Heenan73 (talk) 12:01, 20 November 2013 (UTC)

A comment on the issue of prevention: the inclusion of information (as against advice as such) on prevention isn't in any way against Wikipedia guidelines; removal of sourced text on those grounds is very questionable. However, the text as included here was both commercially-associated and dangerously misleading. The text implied that anti-virus measures would be effective at preventing CryptoLocker. Anyone in computing knows that relying on anti-virus software is dangerous; it can only ever protect against yesterday's threats. Most threats are indeed not new, and likely to be blocked; but a zero-day exploit is always possible.[1] Today I ran an executable with PDF icon emailed to me in a .ZIP file through the VirusTotal Web site, which checked it with 41 virus scanners, of which only 17 identified it as malicious. (Such a file is exceedingly suspicious; whether it was CryptoLocker or not I don't know. I ran it in a virtual machine and it didn't seem to be encrypting files or demanding a ransom, but I might not have left it long enough. It didn't do anything visible, maybe just recruited my VM into a botnet or started to download payload programs.) An antivirus software producer's claim that they can block (as of a certain date) all x known (to them) Trojans does not really say anything other than "buy me!". There are various ways (in addition to antivirus software, desirable but not the do-everything solution) to make infection less likely, and to mitigate the effects (offline backup); they are mentioned briefly in the article (though not in a "prevention" section), with links to detailed sources. Most do not require purchasing commercial products (i.e., no issue of advertising), though the labour cost may be significant.

In summary, I don't at all agree with the grounds on which the Prevention section was removed, but its actual content and source given were not reliable.

  1. The Yuma Sun, on a CryptoLocker attack: "... was able to go undetected by the antivirus software used by the Yuma Sun because it was Zero-day malware"

Pol098 (talk) 13:29, 20 November 2013 (UTC)

Not quite fair. Non-expert computer users currently read an alarmist article which seems to imply there is little they can do to protect themselves, let alone deal with the damage. This is not the case. Currently, a simple antivirus (and ALL offer similar information on their ability to deal with it) is very effective SO FAR; with hindsight, I accept that a warning should have been added that that may not always be the case (though, historically, once a trojan has been spotted and added to the programs, they do pretty well). But a responsible editor would NOT have found false pretexts to remove the section; a responsible editor would have sought an independent source, if that was considered vital, and could have re-written the wording to be less 'certain' - as it stands, Wikipedia is giving a less than complete, and very unbalanced picture. And why? Because one editor had a hissy fit when another dared to alter "his" page. That, dress it up how you like, is vandalism. And if Wikipedia excludes such behaviour from its definition of vandalism, then wikipedia is sadly mistaken - but it goes some way to explaining why rogue editors (like ViperSnake151) get away with it for so long. Heenan73 (talk) 19:05, 20 November 2013 (UTC)

"a responsible editor would have sought an independent source, if that was considered vital, and could have re-written the wording to be less 'certain'" If you look at the article history, you'll find that I completely rewrote the section worded in a way which made clear that it was from one commercial organisation and valid on a particular date. Another editor chose to remove the section entirely; frankly I don't disagree with this at all. Rather than seek sources (probably non-existent) for what was said, as reliable fact rather than vendor's opinion, I added a reference confirming a CryptoLocker infection despite virus protection. Antivirus software is never to be relied on, it can only handle things it already knows about (signature or at least heuristic). This is well-known. Pol098 (talk) 22:19, 20 November 2013 (UTC)
Interesting that you clearly saw the relevance of my input despite what you call "vendor's opinion", and yet now you are happy that the vandal removed it. No-one is - or ever has - suggested that antivirus software is 100% reliable; none the less, in this context, it is a first and vital line of defence. And well YOU know it; and well YOU know that many wikipedia readers do NOT know. We are clearly going around in circles here as you contrive to support the vandal.

You know as well as I do that what he did was wrong; you know as well as I do that his stated rationale was wrong; and you know as well as I do that his real motivation - obvious to any five year old, but not to wikipedia, is way beyond wrong. Exactly as I expected. Wikipedia's loss, as editor unity trumps value. I'm clearly wasting my time and yours, so Goodbye. Heenan73 (talk) 00:37, 21 November 2013 (UTC)

Forgot one thing; interesting you all agree that AVG cannot be trusted to report how many Trojan variations they've found, but you are happy to insert a reference to an unvalidated first-person account - which reads to me like they HAD NOT got decent antivirus protection - but weren't going to admit it. A much more reliable reference. Well done! Heenan73 (talk) 00:41, 21 November 2013 (UTC)

I thought I'd better, belatedly, make some final comments on my motivations, given that an attempt has been made in bold type by Heenan73 to infer the reasons behind what I have said. This is really for readers of this thread, not intended as a continuing dialogue.

  • "You know ... that what he did was wrong"
    • As I've said, clearly and explicitly I hope, I totally disagree with the motives behind what was done ("do-it-yourself" content—not true, it wasn't written in that style, see following section), but don't object to it (what was deleted was largely, I believe, personal opinion, both wrong and without good sources)
  • "You know ... that his stated rationale was wrong"
    • Absolutely
  • "You know ... that his real motivation is way beyond wrong"
    • I have no way of knowing his/her motivation, I don't care, and it's not relevant. You can do the right thing for wrong motives; you can also do the wrong thing for good motives (I have fallen into this on occasion).
  • "Editor unity trumps value."
    • Absolutely not. I edit based on content and what I think is best, never in favour of or against another editor. Also, Heenan73 seems to consider ViperSnake151, myself, and others to be "editors", and him/herself in some way an outsider. In point of fact all editors, including Heenan73, are equal and have exactly the same "rights" and privileges (i.e., the ability to change and save content, and nothing else). The article history clearly shows that ViperSnake151 (the editor mainly complained about) and I have largely been at loggerheads, editing each other's edits (and ViperSnake151 has chosen not to contribute to this, and other, discussions here). I find that Wikipedia often (not always) benefits from constructive (rather than warring) disputes of this nature.
  • "I'm clearly wasting my time and yours"
    • .

Pol098 (talk) 11:41, 24 November 2013 (UTC)

The help page for how to deal with troublesome editors should just be a link to this conversation. Well played, Pol098. Well played. 66.27.174.138 (talk) 14:42, 7 December 2013 (UTC)

Wikipedia guideline on how-to content

As this issue has arisen several times, I include here the information from WP:NOTGUIDE:

Instruction manuals. While Wikipedia has descriptions of people, places and things, an article should not read like a "how-to" style owner's manual, advice column (legal, medical or otherwise) or suggestion box. This includes tutorials, instruction manuals, game guides, and recipes. Describing to the reader how other people or things use or do something is encyclopedic; instructing the reader in the imperative mood about how to use or do something is not.

Pol098 (talk) 14:37, 20 November 2013 (UTC)

Infection of backup

As someone not very knowledgeable about these issues, I'm suggesting a point that I hope others will edit the article to clarify. One obvious defense against CryptoLocker is to back up files. It's my impression, though, that some backup methods will dutifully back up the encrypted files, erasing the unencrypted ones, with the result that the backup can't be used to thwart CryptoLocker. Without getting into "how to" territory, this article could appropriately elaborate on whether and to what extent CryptoLocker has managed to infect backups and thus get around that particular countermeasure. Thanks to anyone who can add this information! JamesMLane t c 15:47, 27 March 2014 (UTC)

If there's a source, something about this could be added. All backup methods will, and should, back up the encrypted files; that's what backup does, make a copy of the current version. Proper backup procedure (regardless of threat) is to make and keep multiple generations of off-line backup; this is not new! It's not a topic to discuss in detail here, it has to do with backup techniques, not malware. Pol098 (talk) 19:23, 13 June 2014 (UTC)
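The distinction drawn above between "making a copy of the current version" and keeping several generations is easy to see in code. What follows is an added illustration, not anything from this talk page or from the CryptoLocker article: it models a single-generation mirror and a rotated multi-generation store, applies a constructed in-place overwrite to the working files (a hash stands in for the malware's encryption; no real cipher is involved), and then runs the scheduled backup again, which is exactly the situation the question describes. The file names, contents and retention count are made up for the example.

```python
"""Why a one-generation mirror fails against file-encrypting malware while retained
generations survive. Added example: file names, contents and the overwrite step are
constructed here, not taken from the article or from any real sample."""
from collections import deque
import hashlib


class MirrorBackup:
    """A single copy that each run overwrites (rsync-style mirror, sync folder)."""

    def __init__(self):
        self.copy = {}

    def run(self, working):
        self.copy = dict(working)

    def restore(self, name, generations_back=0):
        # Only the latest copy ever exists; nothing older can be asked for.
        if generations_back > 0:
            return None
        return self.copy.get(name)


class GenerationalBackup:
    """Keeps the last `keep` snapshots; the oldest is rotated out on each run."""

    def __init__(self, keep=3):
        self.snapshots = deque(maxlen=keep)

    def run(self, working):
        self.snapshots.append(dict(working))

    def restore(self, name, generations_back=0):
        if generations_back >= len(self.snapshots):
            return None
        return self.snapshots[-1 - generations_back].get(name)


def simulate_overwrite(working):
    """Stand-in for malware replacing each file in place (constructed: a SHA-256 digest,
    not a real cipher). Only the fact that the working copy is replaced matters here."""
    return {name: b"ENC:" + hashlib.sha256(data).digest() for name, data in working.items()}


def run_scenario(backup):
    """Day 1: clean backup. Day 2: files overwritten, then the scheduled backup runs
    again and faithfully copies the damaged versions. Returns (latest, one-before)."""
    working = {"report.docx": b"quarterly numbers", "photo.jpg": b"holiday"}
    backup.run(working)
    working = simulate_overwrite(working)
    backup.run(working)
    return backup.restore("report.docx"), backup.restore("report.docx", generations_back=1)


def clean_copy_recoverable(backup):
    """True if a retained generation still holds the pre-overwrite contents."""
    _, previous = run_scenario(backup)
    return previous == b"quarterly numbers"


if __name__ == "__main__":
    for label, store in (("mirror", MirrorBackup()), ("3 generations", GenerationalBackup(keep=3))):
        print(f"{label}: clean copy recoverable = {clean_copy_recoverable(store)}")
```

The mirror's latest copy is the damaged one and there is nothing behind it; the generational store also holds the damaged copy as its newest snapshot, which is correct behaviour, but the previous generation still restores the original. Rotation alone is not the whole answer: if the generation store is writable from the infected machine, the generations themselves can be overwritten, which is why the comment specifies off-line generations.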

CryptoLocker shut down

This isn't really my cup of tea so I'll let someone else evaluate these recent news sources:

  • Leger, Donna Leinwand; Johnson, Kevin (June 2, 2014). "Federal agents knock down Zeus Botnet, CryptoLocker". USA Today.
  • Leger, Donna Leinwand (June 4, 2014). "Russian hacker engineered dazzling worldwide crime spree". USA Today.
  • "CryptoLocker malware shut down as mastermind is identified". Sioux Falls Business Journal. June 10, 2014.

--Dr. Fleischman (talk) 22:10, 11 June 2014 (UTC)

Reportedly the bot was shut down; but others are still infecting unwary users like me. On August 6th, 2014 FireEye & Fix-IT announced a free service to help infected users decrypt cryptolocker. PCWorld and other reputable businesses provided articles and the link. I have not yet been able to connect with that link to verify its functionality. — Preceding unsigned comment added by AviationDave4799 (talk • contribs) 12:43, 15 September 2014 (UTC)

What is CryptoLocker?

CryptoLocker was a particular piece of malware; since it was taken down there have been several variants using the CryptoLocker name (brand recognition?). It would seem that for the purposes of this article any malware that says "you have been infected by CryptoLocker" (or CryptoLocker 2.0 or whatever) belongs in the article. Maybe TorrentLocker, which has its own forum, needs an article too, I don't know (have redlinked it).

A bit like the man who claimed that the plays of Shakespeare weren't written by him, but by another man also called William Shakespeare. Pol098 (talk) 15:19, 14 October 2014 (UTC)

Your statement contradicts itself. This article is specifically about the main strain of CryptoLocker, and we make passing reference to clones. Ransomware is the general article for these worms; only this one got a significant amount of media coverage. ViperSnake151 (talk) 17:39, 14 October 2014 (UTC)
I stand by what I said; do any others have an opinion? Should this deletion stand? "This article is specifically about the main strain of CryptoLocker": what? Who rules on that? ViperSnake is begging the question. The article is about "CryptoLocker" (its title), not what someone deems is "the real CryptoLocker". In particular, looking at the requirement on an encyclopaedia that it be useful, how are we serving the reader who has "CryptoLocker has locked your computer - send us money" on their screen, and comes here to find "CryptoLocker was closed down and no longer exists"?

(added 15 Oct 14 13:45) For reference, the paragraph that I think belongs in the article (and may be copied from here, unresolved named reference will show correctly in article) is:

In October 2014 it was reported, in many cases in Australia and New Zealand, that an infection describing itself as CryptoLocker was being distributed as an email attachment (typically claiming to be from AusPost regarding a parcel delivery), and behaving in the same way as the early malware.[1][2] According to a Web site that has studied CryptoLocker extensively, there have been other encrypting infections describing themselves as CryptoLocker, in particular one called TorrentLocker[3] by some experts.[4]

  1. Actrix: An Important warning about the CryptoLocker Virus
  2. University of Adelaide, IT Security Announcements: CryptoLocker (again), 8 October 2014
  3. TorrentLocker Support and Discussion Thread (CryptoLocker copycat) "If you have been infected with something called CryptoLocker after June 2nd, 2014 then you are not infected with the original CryptoLocker, but instead by a new ransomware using the same name. If you have been infected recently with an infection called CryptoLocker, it is probably the TorrentLocker infection that this topic discusses."
  4. Cite error: The named reference details was invoked but never defined (see the help page).

[Added 15, 22 Oct 14, 20:15: I see that the article has since been amended to at least include the new "CryptoLockers", which I think restores much of its usefulness. There needs to be brief mention in the introduction, for people who have just seen a new infection by "CryptoLocker", that malware calling itself that continues to circulate.] Pol098 (talk) 18:11, 14 October 2014 (UTC)

IMHO, if the malware calls itself something, say, "CryptoLocker", I would argue that it be discussed in the CryptoLocker article as a variant or copycat, even if it's clearly not CryptoLocker. That's generally what most security companies do, as well. JamusDoore (talk) 17:23, 24 March 2015 (UTC)
By the way, I say what I do because that's how most users of Wikipedia will know it if it's stating its name... by its claimed name. JamusDoore (talk) 17:25, 24 March 2015 (UTC)
I'd go a bit further: given that the creators of the first CryptoLocker somehow neglected to register their trademark, any ransomware calling itself CryptoLocker is a CryptoLocker for most purposes. Wikipedia is supposed to be a useful resource; people whose computers are saying "you've got CryptoLocker" are going to come here for information (as distinct from an instruction manual). The notion of an "authentic CryptoLocker" is spurious; any attempt to enforce it here needs support from a reliable source that there is the authentic Cryptolocker. Pol098 (talk) 10:00, 25 March 2015 (UTC)

CryptoWall

Now that CryptoWall is officially on 3.0, although it went from 1.0 to 2.0 with many minor revisions without actually changing the revision number, and from 2.0 to 3.0 in like fashion, I wonder if it has grown enough to maybe have its own page? Particularly since its impacts have been arguably larger, its tactics have changed, and it operates differently other than in that it encrypts the entire file using similar crypto schemes. Any thoughts? JamusDoore (talk) 16:24, 24 March 2015 (UTC)

New Fake "CryptoLocker" circulating on the Internet

A few days ago, in the institution where my wife works, they caught a CryptoLocker-like virus that in all external signs resembles the normal CryptoLocker virus. I asked her to send me several "encrypted" files together with their unencrypted copies to analyze them, and the first thing I noticed was the difference in their size. The "encrypted" files are smaller than the originals - something that will not happen when encoding with RSA, especially "2048-RSA" as claimed in the ransom message. This "CryptoLocker" simply uses some sort of data compression like in RAR and encrypts with something like AES. (I guess it's of Russian or Polish origin.)

Does anyone have more information about this virus? (It adds a .illqtak extension.) Enchev EG (talk) 13:54, 28 April 2015 (UTC)
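The size reasoning in the post above (a block cipher or RSA applied to the raw file never yields output shorter than the input, so a smaller "encrypted" file points to compression before encryption) can be turned into a first triage check on (original, encrypted) pairs. The following is an added example, not code from the post or from any analysis of the sample: it computes the minimum output sizes for a PKCS#7-padded 16-byte block cipher and for chunked RSA-2048 with PKCS#1 v1.5, classifies size pairs, and also shows the caveat that compress-then-encrypt of an already incompressible file (a JPEG, say) comes out at or above the size of direct block-cipher output, so a file that is not smaller does not rule compression out. The sample contents and the ".illqtak" file names are constructed.

```python
"""Size-only triage of 'encrypted' samples against their originals. Added example;
the sample contents and file names are constructed, not recovered from a real infection."""
import hashlib
import zlib

BLOCK = 16                 # AES block size in bytes
RSA_K = 256                # modulus size of RSA-2048 in bytes
RSA_PAYLOAD = RSA_K - 11   # largest plaintext per PKCS#1 v1.5 block


def pkcs7_padded_size(n):
    """Output length of a 16-byte block cipher (CBC/ECB) with PKCS#7 padding: always > n."""
    return (n // BLOCK + 1) * BLOCK


def rsa_chunked_size(n):
    """Output length if the file were split into PKCS#1 v1.5 blocks and RSA-encrypted
    directly (never smaller than n; even a 1-byte file becomes 256 bytes)."""
    return -(-n // RSA_PAYLOAD) * RSA_K


def classify(orig_len, enc_len):
    """Verdict from sizes alone; later checks only apply when earlier ones fail."""
    if enc_len < orig_len:
        return "smaller: data was compressed (or truncated) before any encryption"
    if enc_len == pkcs7_padded_size(orig_len):
        return "consistent with a padded 16-byte block cipher over the raw file"
    if enc_len == rsa_chunked_size(orig_len):
        return "consistent with chunked RSA over the raw file"
    return "larger: cipher output plus a header/key blob, or another scheme"


def compress_then_pad(data):
    """Size a compress-then-block-encrypt scheme would produce (zlib, then PKCS#7).
    Constructed model of the behaviour the post infers; not the sample's real scheme."""
    return pkcs7_padded_size(len(zlib.compress(data, 9)))


def triage(samples):
    """samples: {name: (original_bytes, observed_encrypted_length)} -> {name: verdict}"""
    return {name: classify(len(orig), enc_len) for name, (orig, enc_len) in samples.items()}


# Constructed inputs: a highly compressible document and a deterministic
# incompressible blob (SHA-256 chain) standing in for an already-compressed JPEG.
DOC = b"quarterly report: revenue up, costs flat. " * 1600                              # 67200 bytes
JPEG_LIKE = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(256))  # 8192 bytes

SAMPLES = {
    "report.docx.illqtak": (DOC, compress_then_pad(DOC)),          # shrinks: compression visible
    "photo.jpg.illqtak": (JPEG_LIKE, compress_then_pad(JPEG_LIKE)),  # does not shrink: ambiguous
    "notes.txt.illqtak": (DOC, pkcs7_padded_size(len(DOC))),        # raw block cipher, no compression
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name}: {verdict}")
```

The check is only a first filter: a "smaller" verdict is strong evidence of compression (or of the file simply being truncated, which a decryptor must also cope with), but the other verdicts are merely consistent with a scheme, not proof of it, since the photo sample shows compress-then-encrypt landing on the same size as a direct block cipher would.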